Forwarded from 2600 List. Could anybody provide insight into commercial forensic tools, other than Encase, and which are regarded as the best?

Cheers
Dean

-----Original Message-----
From: Grant Bayley [mailto:gbayleyat_private]
Sent: Wednesday, 17 April 2002 1:19 PM
To: 2600-listat_private
Cc: adamdat_private
Subject: RE: [2600-AU] Forensic Tools

Anthony,

The reason for the question is probably mostly as follows:

1) You're generally using forensic tools like Encase (or any of the custom apps that some of the data recovery companies use) after someone's been caught, a warrant has been served etc etc and you're looking to see what's on a machine, what's happened on it, what's not on it, etc.

2) The critical thing with any of these tools is not what you know you can find on a hard drive, but what your expert witnesses can present in court as a finding. In other words, forensic examination of computer hard drives is as much about the strict handling and documentation of the process (ie the chain of evidence) as it is about what you end up finding on the hard drive. Tools like Encase and some of the custom tools cater for this need with extensive logging.

I'm hoping Adam can jump in here with some suggestions on alternative commercial solutions to Encase, though as Scott mentioned, Adam's done some research and at least one seminar on some of the fairly basic yet fairly common open source tools that the recreational forensic examiner might like to use on their own machines.

Hopefully this clarifies what Cameron was asking about.

<blatant plug>
It might also be worth posing the same question on wt-secure-sysadminat_private (Details here http://www.wiretapped.net/mailinglists.html). There's a different group of people on that list, so you may get a better answer there ...))

Grant

On Wed, 17 Apr 2002, Cameron Wells wrote:

> Thanks Ant... regardless of what you or I think with regard to skills and
> out-witting people, not everyone has the ability or indeed inclination to
> manually piece together snippets of captured packets, bitstreams, RAM or data
> from wiped EXT2, FAT12, FAT16, FAT32 etc. filesystems...
>
> Like you, I am unfamiliar with the commercial tools available and thought
> that the list may be able to provide some useful information and insight!
>
> -----Original Message-----
> From: Anthony Symons [mailto:antat_private]
> Sent: Wednesday, 17 April 2002 10:20 AM
> To: 2600-listat_private
> Subject: Re: [2600-AU] Forensic Tools
>
> Tools? I thought it was best to just be a skilled human and to
> outwit/outskill the person you're trying to bust. You need to think of
> what they have missed. I'm not sure you want or need commercial tools.
>
> Ant
>
> On Wed, 2002-04-17 at 08:50, Cameron Wells wrote:
> > Hi List,
> >
> > could anyone offer some insight into the commercial computer forensic tools
> > in use around the world (other than Encase) and which, if any, are regarded
> > as 'the best'?
> >
> > Cheers
> >
> > Cam
> >
> > ---------------------------------------------------------------------
> > The name of this list is: 2600-listat_private
> > To unsubscribe, e-mail: 2600-list-unsubscribeat_private
> > For additional commands, e-mail: 2600-list-helpat_private
> > Note: Comments to this mailing list are owned by the poster.
>
> --
> Systems Administrator
> Pracom Ltd.
> +61 8 82029074 -=- +61 402 100 671
> anthony.symonsat_private
>
> PRIVILEGED - PRIVATE AND CONFIDENTIAL
> This electronic mail is solely for the use of the addressee and may
> contain information which is confidential or privileged.
> If you receive this electronic mail in error, please delete it from
> your system immediately and notify the sender by electronic mail or
> using any of the above contact details.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
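Grant's second point, that the handling and documentation of the process matters as much as what is found, is the part of the thread a practitioner can actually mechanise. The following is an added example, not code from the thread, from Encase or from any tool the posters mention: it hashes an acquired image as a stream, keeps a hash-chained custody log of every handling step, and refuses to treat the image as evidence if either the image or the log has changed since acquisition. The sample image bytes, the examiner name and the timestamps are constructed for the example.

```python
"""Evidence-integrity check for a forensic acquisition (added example).

Assumptions (not from the thread): the acquired image is a file of raw
bytes; SHA-256 of the whole image is recorded at acquisition; every
subsequent handling step is appended to a custody log in which each
entry commits to the previous entry's hash, so a later edit to any
entry breaks the chain.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Constructed stand-in for a dd-style image: a zeroed sector, a fragment
# of a deleted file, and a run of 0xff. Real images are read from disk.
SAMPLE_IMAGE = b"\x00" * 512 + b"DELETED_FILE_FRAGMENT_abc123" + b"\xff" * 512

GENESIS = "0" * 64  # prev-hash of the first log entry


def hash_image(data: bytes, chunk: int = 1 << 20) -> str:
    """SHA-256 over the image, streamed in fixed-size chunks so the same
    function works for images far larger than RAM."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def _entry_hash(body: dict) -> str:
    # Canonical JSON so the hash does not depend on dict ordering.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class CustodyLog:
    """Append-only chain-of-custody log. Entry 0 is the acquisition."""
    entries: List[dict] = field(default_factory=list)

    def record(self, actor: str, action: str, image_sha256: str,
               ts: Optional[str] = None) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "time": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "image_sha256": image_sha256,
            "prev_entry_hash": prev,
        }
        entry = dict(body, entry_hash=_entry_hash(body))
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify_chain(self) -> bool:
        """True only if every entry's hash is intact and links to its predecessor."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_entry_hash"] != prev:
                return False
            if _entry_hash(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def verify_image(data: bytes, log: CustodyLog) -> bool:
    """The image is admissible for analysis only if the log is intact and
    the image still hashes to the value recorded at acquisition."""
    if not log.entries or not log.verify_chain():
        return False
    return hash_image(data) == log.entries[0]["image_sha256"]


def demo() -> dict:
    """Walk one acquisition through sealing and a later verification."""
    log = CustodyLog()
    acquired = hash_image(SAMPLE_IMAGE)
    log.record("examiner-1", "acquired image", acquired, ts="2002-04-17T00:00:00Z")
    log.record("examiner-1", "sealed in evidence bag", acquired, ts="2002-04-17T00:05:00Z")
    tampered = SAMPLE_IMAGE[:-1] + b"\x00"  # single changed byte
    return {
        "chain_ok": log.verify_chain(),
        "original_ok": verify_image(SAMPLE_IMAGE, log),
        "tampered_ok": verify_image(tampered, log),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the log stores the acquisition hash and the chain separately checks the log itself, so an examiner who alters a log entry to match a modified image still breaks every later entry's `prev_entry_hash`. Whether a court accepts such a log depends on the jurisdiction and on the rest of the handling process, which is exactly Grant's point.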
This archive was generated by hypermail 2b30 : Fri Apr 19 2002 - 06:32:56 PDT